How to validate Azure AD B2C token from query string in ASP.NET Core?

I have an ASP.NET Web API application with some controllers and a SignalR hub. JWT token validation with Azure AD B2C is configured like this:

services.AddAuthentication(AzureADB2CDefaults.JwtBearerAuthenticationScheme)
        .AddAzureADB2CBearer(options => _configuration.Bind("AzureAdB2C", options));

This works fine with controllers, and I don't have to worry about the intricacies of Azure AD B2C token validation.

Now, for the SignalR hub to support WebSockets or Server-Sent Events, the authentication token should be read from the query string. I'm supposed to handle the OnMessageReceived event like this:

services.AddAuthentication(...)
    .AddJwtBearer(options =>
        {
            options.Events = new JwtBearerEvents
            {
                OnMessageReceived = context =>
                {
                    var accessToken = context.Request.Query["access_token"];

                    // If the request is for our hub...
                    var path = context.HttpContext.Request.Path;
                    if (!string.IsNullOrEmpty(accessToken) &&
                        (path.StartsWithSegments("/hubs/chat")))
                    {
                        // Read the token out of the query string
                        context.Token = accessToken;
                    }
                    return Task.CompletedTask;
                }
            };
        });

Unfortunately, the AzureAdB2COptions object does not give me access to the authentication events.

How can I reconcile both approaches?

Maybe get a little more manual by writing your own AuthenticationHandler. You can use the IServiceCollection extensions of .AddAuthorization and .AddAuthentication to write your own logic that does the things that are supposed to happen.

What I find with C# in a post-dotnet-core world: use as little of their framework as is necessary to hook into it. The framework stuff is all janky and brittle, and in 5 years when they've redone it all 3 times nobody will be able to maintain the bizarre 5-year-old fluent builder stuff in every Startup.cs.

Writing your own AuthenticationHandler is a good compromise between using a single-line fluent builder extension method vs. completely ignoring the entire framework and writing your own framework that uses logic and reason.
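
An added example, not part of the original question or answer and not code from the Azure AD B2C package: one way to keep the B2C token validation from the question while still reading the token from the query string is to post-configure the named JwtBearerOptions instead of replacing the handler. It assumes the package registers its JWT bearer handler under AzureADB2CDefaults.JwtBearerAuthenticationScheme; the AddHubQueryStringToken helper name is hypothetical.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.AzureADB2C.UI;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class HubTokenExtensions
{
    // Hypothetical helper. Usage in ConfigureServices, next to AddAzureADB2CBearer(...):
    //     services.AddHubQueryStringToken("/hubs/chat");
    public static IServiceCollection AddHubQueryStringToken(
        this IServiceCollection services, PathString hubPath)
    {
        // Named options: this delegate runs after the Configure<> callbacks for the
        // same scheme, so the B2C authority/audience settings are left untouched
        // and the token is still validated by that configuration.
        services.PostConfigure<JwtBearerOptions>(
            AzureADB2CDefaults.JwtBearerAuthenticationScheme, options =>
        {
            // Events can be null until the handler creates it, so create it here.
            options.Events = options.Events ?? new JwtBearerEvents();
            var previous = options.Events.OnMessageReceived;

            options.Events.OnMessageReceived = async context =>
            {
                // Preserve any handler that was already registered.
                if (previous != null) await previous(context);

                var request = context.HttpContext.Request;
                string accessToken = request.Query["access_token"];

                // Query strings are commonly written to server and proxy logs, so
                // accept the token from there only on the hub path and only when
                // no Authorization header was sent. Controllers keep using the header.
                if (!string.IsNullOrEmpty(accessToken)
                    && request.Path.StartsWithSegments(hubPath)
                    && !request.Headers.ContainsKey("Authorization"))
                {
                    context.Token = accessToken;
                }
            };
        });
        return services;
    }
}
```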
